CMMC

There Is No CMMC Deadline

By Arnold De La Vega
LinkedIn post titled 'The CMMC Clock is Ticking: Is Your Business Ready for Phase 2?' from 909Cyber, warning about an October 2026 deadline and selling NIST 800-171 readiness, CMMC L2 roadmaps, and audit prep
Real LinkedIn post in the wild. Note the "October 2026 deadline." Phase 2 actually starts November 10, 2026, and it isn't a deadline. Even the panic posts can't get the date right.

There is no CMMC deadline.

There are hundreds of them. Maybe thousands. And only one of them is yours.

If you’ve been on LinkedIn the last six months, you’ve seen the panic. “80,000 contractors need to be CMMC Level 2 certified by November 2026.” “The deadline is coming.” “If you’re not ready, you’re done.”

Almost all of it is wrong. Or, more charitably, it’s right for some people and completely irrelevant for others, and nobody is bothering to tell you which group you’re in.

This article tells you which group you’re in.

The myth: “November 2026 is the deadline”

Let me settle this with the actual text of the rule.

Go to 32 CFR §170.3(e)(2). That is the section of the CMMC rule that describes Phase 2 of the phased rollout. It is four sentences long. Here it is, in full:

Begins one calendar year following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 2 (C3PAO) to an option period instead of as a condition of contract award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD solicitations and contracts.

Screenshot of 32 CFR §170.3(e)(2), the four-sentence Phase 2 paragraph from the CMMC final rule
32 CFR §170.3(e)(2): Phase 2, in full. Every operative verb is "intends to include" or "may, at its discretion." Neither is a deadline.

Read it twice. Every operative verb is intends or may at its discretion. No “shall,” no “must,” no “by.” It does not say “all contractors must be certified by November 2026.” It does not say anything close to that.

What it says is that Phase 2 begins in November 2026.

That’s it. That’s the whole “November 2026 deadline.” It’s the date when DoD starts inserting more L2 C3PAO certification requirements into more applicable solicitations. Not all contracts. Not all contractors. Applicable solicitations.

If you’re not bidding on anything in November 2026, November 2026 doesn’t matter to you.

If your prime told you the deadline is summer, your deadline is summer, not November.

If you’re chasing an award that drops in Q1 2027, your real deadline is whatever date you need to be assessment-ready by minus the procurement administrative lead time minus your implementation runway. That might be next month. That might be next year.

The November 2026 cliff doesn’t exist.

What the phased rollout actually says

CMMC rolls out in four phases over four years. Then DoD estimates another three years for existing contracts to age off, which is where the “seven-year rollout” framing comes from.

PhaseWhenWhat changes
Phase 1Started Nov 10, 2025L1 and L2 self-assessment in applicable solicitations. DoD discretion to require L2 C3PAO if they want.
Phase 2Starts Nov 2026L2 C3PAO becomes the default for applicable solicitations.
Phase 3~Nov 2027L2 cert flows into option periods. L3 starts appearing.
Phase 4~Nov 2028Full implementation. All applicable levels in all applicable contracts.

Two things you have to understand about this table.

First, the phases are cumulative. Phase 2 doesn’t replace Phase 1. Phase 4 doesn’t replace Phase 3. As the rule itself says: “Requirements from earlier phases continue as each additional phase is implemented.”

Second, and this is the part everyone misses, the rule explicitly gives DoD discretion to override its own schedule. Each section of the phase rollout includes language that DoD can pull requirements forward, push them into option periods, elevate them, or reduce them.

So the schedule is more of a suggestion than a contract. Which is exactly why your real deadline is set by something other than the schedule.

Where your real deadline actually comes from

Three things determine when you actually need CMMC. Whichever hits you first wins.

1. Your prime customer

If you’re a sub to Lockheed, Northrop, RTX, BAE, L3Harris, HII, or any of the mega primes, your timeline is whatever they say it is. And what they’re saying right now is earlier than the rule says.

The cleanest example is the April 6, 2026 letter from L3Harris Missile Solutions to its supply chain. Signed by Paul Morgan, Vice President, Supply Chain/Materiel Management. Subject line: “CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) – Action Needed.”

L3Harris Missile Solutions supplier letter dated April 6, 2026, signed by VP Paul Morgan, requiring suppliers to submit CMMC Level 2 assessment report and C3PAO-issued L2 certificate no later than July 30, 2026
L3Harris to its suppliers: produce a CMMC Level 2 assessment report and a C3PAO-issued L2 certificate no later than July 30, 2026. That's three full months before Phase 2 even starts.

Read the deadline: “we are requesting that our suppliers become certified no later than July 30, 2026.” Phase 2 of the rule starts November 10, 2026. L3Harris is asking for certification three months and 11 days earlier than the rule’s own schedule. They are not asking nicely either: “Suppliers who do not qualify for certification at Level 2 will be precluded from the program.”

This is the whole article in one letter. The rule says one date. The prime sets a different, earlier date. The supplier’s real deadline is the prime’s date, not the rule’s.

L3Harris isn’t unique. Northrop Grumman sent its own version in December 2025, titled “CMMC 2.0 Is Final. Are You Ready?”, making two points worth keeping in mind no matter which prime you sell to:

  1. If a prime needs L2 C3PAO and you handle CUI on the contract, you need L2 C3PAO. There is no path around this. It comes directly from 32 CFR §170.23(a)(3).
  2. Primes cannot waive your CMMC requirement. Neither can contracting officers. Waivers happen at a level above both of them, before the solicitation ever hits the street.

The language Northrop used: “We encourage you to proactively prepare to comply with this future contractual requirement.”

Translate: “Get certified or get off our supply chain.”

2. The specific contract you want to win

DoD publishes long-range acquisition forecasts. Every component does it. NAVWAR, NAVSEA, NAVSUP, NAVFAC, Army Corps, SOCOM, all of them have public-facing pages that tell you when they plan to put solicitations out and when they plan to award.

This is the only schedule that matters to you.

If a contract you want awards in Q3 2027 with a 90-day procurement administrative lead time (PAL), then your deadline isn’t November 2026. It isn’t 2028. Your assessment needs to be done before that 90-day window closes.

Which means, and this is where most people get hosed, you need to start your implementation before the solicitation is published. The math is brutal:

  • Three to four months to evaluate options, decide, and sign with an implementer
  • Three to four months for that implementer to clear their backlog and kick you off
  • Two to three months to stand up and operate in the new environment
  • A C3PAO assessment on top of that
  • And your PAL window from your customer might only be 90 days

If you wait until the solicitation drops to start, the window has already closed. Math it out backward from the award date. That’s your deadline.

3. DoD program office discretion

Even when the rule says “Phase 2 starts in November 2026,” any DoD program manager can decide their program needs L2 C3PAO sooner. They’ve been doing it. The phased rollout doesn’t constrain them.

If you’re working on something risk-elevated, mission-critical production, naval nuclear propulsion, controlled technical information on weapons systems, anything in a program office that’s getting heat from above, your program office can pull L2 or even L3 forward without asking permission.

The agencies are all on different schedules

This is the part of the article that ends the debate. Every agency is doing its own thing. Here are the receipts.

DLA (Defense Logistics Agency)

DLA is the model for how this should be communicated. On the DLA Small Business Cybersecurity Resources for Suppliers page, they publish a table titled “Supply Class to CMMC Level Expectation Breakout” that tells you, by supply class, what percentage of contracts will require what level.

DLA 'Supply Class to CMMC Level Expectation Breakout' table showing per-supply-class CMMC level percentages: Class I food at 95% L2 Self / 5% L2 C3PAO; Class II clothing 70/30; Class III petroleum 95% L1 / 4% L2 / 1% L3; Class IV construction 72/28; Class VIII medical 98/2
From DLA's Cybersecurity Resources page. The "deadline" doesn't exist as a single date. It exists as a probability distribution by supply class.

Some of the highlights from the table:

  • 25% of total DLA procurements will require CMMC at all. (The rest are commercial off-the-shelf and exempt.)
  • Class I (Subsistence — food, water, paper products, bottled water): 95% L2 Self, 5% L2 C3PAO.
  • Class III (Petroleum, lubricants, chemicals, coal): 95% L1, 4% combined L2 Self / C3PAO, 1% L3.
  • Class IV (Construction materials and fortification): 72% L2 Self, 28% L2 C3PAO.
  • Class VIII (Medical materiel): 98% L2 Self, 2% L2 C3PAO.
  • Service contracts: 1% L1, 12% L2 Self, 73% L2 C3PAO, 10% L3.

If you’re a DLA supplier, your odds of needing each level vary wildly by what you sell. Service contractors are far more likely to need L3 than fuel suppliers. Food vendors will mostly self-assess. A construction-materials supplier has nearly a 1-in-3 chance of needing L2 C3PAO. None of these contractors share a “deadline.” They share a probability distribution.

Army Corps of Engineers

Army Corps has been the most aggressive component on SAM.gov. As of late 2025, the majority of CMMC-tagged solicitations on SAM.gov were Army Corps notices.

The headline receipt is a Special Notice posted by USACE Headquarters’ Directorate of Contracting on September 2, 2025, titled “UPDATE - Cybersecurity Maturity Model Certification (CMMC) 2.0 Implementation.” It’s been updated twice since (UPDATE #1 and UPDATE #2, the latest on October 23, 2025), each one tightening guidance for industry.

SAM.gov page for the U.S. Army Corps of Engineers Special Notice 'UPDATE - Cybersecurity Maturity Model Certification (CMMC) 2.0 Implementation,' originally published September 2, 2025, updated October 23, 2025, issued by USACE Headquarters Directorate of Contracting
USACE Headquarters' SAM.gov posting. The canonical Army Corps notice on CMMC. Individual districts (Vicksburg, Mobile, Seattle, Japan) have layered their own briefings on top of it.

Army Corps districts have been pulling CMMC forward into specific solicitations: ground-based strategic deterrent construction, base housing in Yokosuka, microelectronics work, and specialty construction. The point isn’t any one notice. It’s that Army Corps stopped waiting for the rule’s phased rollout and started writing CMMC into individual procurements months ahead.

NAVFAC Southwest PDC

NAVFAC Southwest’s Planning, Design and Construction (PDC) office posted a “Notice to Industry” covering all NAVFAC SW Multiple Award Construction Contracts (MACCs) and Architect-Engineer IDIQ Contracts. The exact language:

In order to receive an IDIQ award from NAVFAC SW PDC, on or after November 10, 2026, prospective contractors must show that they have obtained a CMMC Level 2 (C3PAO) or higher. Task orders issued under NAVFAC SW IDIQs may be assigned a CMMC Level below Level 2 (C3PAO); however, for the majority of work under Construction and Architect-Engineering IDIQs, it is anticipated that a Level 2 (C3PAO) certification will be required after November 10, 2026.

Screenshot of the NAVFAC Southwest 'Notice to Industry – Application of Cybersecurity Maturity Model Certification (CMMC) Requirements' description, stating contractors must show CMMC Level 2 C3PAO or higher to receive an IDIQ award on or after November 10, 2026
NAVFAC Southwest PDC's Notice to Industry. Worth noting: the notice references the "Department of War (DoW)," the formal post-2025 rename of DoD.

For NAVFAC Southwest IDIQ holders, November 10, 2026 is a real deadline. And it’s not the rule’s deadline. It’s NAVFAC’s deadline, which happens to coincide with Phase 2 because NAVFAC chose to align with it. Other components didn’t.

SOCOM, NAVSEA, NAVWAR, NAVSUP

Every one of these components has its own pace. SOCOM contracts have run on different timelines than Navy direct contracts. NAVSEA has its own supplier expectations. NAVWAR has been issuing its own guidance.

None of them are aligned to a single “November 2026” event. Each is making its own decisions about which programs need L2 C3PAO, which need L2 self, which need L3, and when.

The mega primes

L3Harris isn’t alone. Lockheed, Northrop, RTX, BAE, and HII have all set their own internal timelines that are usually earlier than the DoD rollout, because the primes need their entire supply chain ready before they respond to a solicitation.

If your prime is bidding on a Q4 2026 award, they need you certified before they submit the bid, not before the contract is awarded. That can pull your deadline forward by three to nine months from whatever DoD’s rollout suggests.

What about waivers?

People ask us about waivers a lot. Short answer: don’t plan on getting one.

From the January 2025 DoD acquisition memo on the CMMC waiver process:

  • Level 1: no waivers. Period.
  • Level 2 self-assessment: no waivers.
  • Level 2 C3PAO: waivers exist but will be “rare,” must include a planned expiration date, and must be approved on an entire class of procurements (not a single company).

Waivers are a pre-solicitation process. Once the requirement hits the solicitation, no waiver process exists. If you’re hoping to wait until you see CMMC in a solicitation and then ask for a waiver, you’re too late.

Waivers also apply to the contract, not the contractor. You don’t get personally waived. The whole contract gets waived for everyone bidding on it. Which almost never happens.

The two extremes that are both wrong

Almost everyone interprets the phased rollout at one of two extremes. Both are wrong.

Extreme 1: “Everyone needs L2 by November 2026.”

Wrong. The rule says no such thing. November 2026 is when Phase 2 starts, not when anyone has to finish.

Extreme 2: “I have until 2028.”

Also wrong. DoD can pull requirements forward. Primes can demand it sooner. Specific program offices can require it for their programs whenever they want. By the time you see it in a solicitation, the window has closed.

The correct read is in the middle: the rollout is gradual, it’s tied to procurement, and your specific deadline depends on your specific situation.

How to actually find your real deadline

Here’s the process:

  1. List the contracts you want to win in the next 24 months. Direct DoD contracts, prime subcontracts, IDIQ task orders, all of it.
  2. For each one, find the anticipated award date. DoD long-range acquisition forecasts, your prime’s bid pipeline, your program office’s published schedule, SAM.gov advance notices.
  3. Subtract the procurement administrative lead time (PAL). Usually 60–120 days. Sometimes shorter. Ask your contracting officer or check past awards on the same vehicle.
  4. Subtract your assessment runway. Allow 30–90 days for a C3PAO assessment.
  5. Subtract your implementation runway. Six to twelve months minimum if you’re starting from scratch. Less if you’ve already done DFARS 7012 work.
  6. The earliest of all those dates is your real deadline.

It will not be November 2026 for most people. It might be sooner. It might be later. It depends on which contracts you’re chasing.

The bottom line

There is no CMMC deadline.

There is your CMMC deadline, set by the contracts you want to win, the primes you sell to, and the program offices that buy from you.

The rule is gradual on purpose. The rollout is fragmented on purpose. Every component, every prime, every program office is making its own decisions on its own timeline. The only way to know your real deadline is to look at the specific contracts you’re going after and work backward.

Stop reading the rule like it’s a single deadline. Start reading your customers’ procurement schedules like they’re the deadline. Because they are.

Find Out Where You Stand

Tell us about your situation. We'll tell you whether certification applies, what level you need, and what it takes to get there.

30 minutes. No obligation. Real answers.